package com.can.lesson01;

import com.can.lesson01.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

public class SQL注入 {
    public static void main(String[] args) {

//        login("can1","123"); //正常登录
        login(" ' or '1=1","123' or '1=1"); // SQL注入
    }

    //登录业务
    private static void login(String username,String password){
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();
            st = conn.createStatement();

            //SQL
            //select * from users where name = '' or '1=1' and password='123' or '1=1';
            String sql = "select * from users where `name`='"+username+"'"+"AND "+"`password`='"+password+"'";
            rs = st.executeQuery(sql);
            while (rs.next()){
                System.out.println(rs.getObject("name"));
                System.out.println(rs.getObject("password"));
                System.out.println("============");
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            //6.释放连接
            JdbcUtils.release(conn,st,rs);
        }
    }
}
